Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub

Cybersecurity researchers have uncovered a cryptojacking campaign that exploits misconfigured DevOps servers such as Docker, Gitea, and HashiCorp Consul and Nomad to mine cryptocurrency illicitly. The campaign relies on known vulnerabilities and misconfigurations, and the threat actors download their tools from GitHub to hinder attribution efforts. #JINX-0132 #Cryptojacking

Key points

  • The campaign targets publicly accessible DevOps servers such as Docker, Gitea, Consul, and Nomad.
  • Attackers exploit known misconfigurations and vulnerabilities to deliver mining payloads like XMRig.
  • Threat actors use GitHub repositories to download tools, obscuring their activities.
  • Exposed Nomad APIs are exploited to create jobs that download and run cryptocurrency miners.
  • Over 5,300 Consul servers and 400 Nomad servers are exposed worldwide, mainly in major countries.
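For defenders, the Nomad point above suggests reviewing registered job definitions for tasks that pull artifacts from GitHub or reference a miner by name. The following is an added example, not code from the researchers or from the original article: it assumes job definitions have been exported in Nomad's JSON job format (`TaskGroups`, `Tasks`, `Artifacts`, `GetterSource`), and the watched hosts, the marker list and the sample jobs are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Watched hosts and name markers are assumptions chosen for this example.
WATCHED_HOSTS = {"github.com", "raw.githubusercontent.com"}
MINER_MARKERS = ("xmrig",)

# Constructed sample jobs in the shape of Nomad's JSON job format (not real data).
SAMPLE_JOBS = json.loads("""
[
  {"ID": "web", "TaskGroups": [{"Name": "app", "Tasks": [
    {"Name": "nginx", "Driver": "docker",
     "Config": {"image": "registry.example.internal/nginx:stable"}}]}]},
  {"ID": "qkzlwp", "TaskGroups": [{"Name": "g", "Tasks": [
    {"Name": "t", "Driver": "exec", "Config": {"command": "local/xmrig"},
     "Artifacts": [{"GetterSource":
       "git::https://github.com/example-org/example-repo/xmrig.tar.gz"}]}]}]}
]
""")

def source_host(src):
    """Host of an artifact source, tolerating 'git::' style prefixes and bare hosts."""
    src = src.split("::", 1)[-1]
    if "://" not in src:
        src = "https://" + src
    return (urlparse(src).hostname or "").lower()

def audit_job(job):
    """Return (task path, reason) findings for one job definition."""
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            where = f"{job.get('ID')}/{group.get('Name')}/{task.get('Name')}"
            artifacts = task.get("Artifacts") or []
            for art in artifacts:
                host = source_host(art.get("GetterSource", ""))
                if host in WATCHED_HOSTS:
                    findings.append((where, f"artifact fetched from {host}"))
            # Search the task's config and artifact list for known miner names.
            text = json.dumps([task.get("Config") or {}, artifacts]).lower()
            for marker in MINER_MARKERS:
                if marker in text:
                    findings.append((where, f"marker '{marker}' in task definition"))
    return findings

if __name__ == "__main__":
    for job in SAMPLE_JOBS:
        for where, reason in audit_job(job):
            print(f"{where}: {reason}")
```

A GitHub artifact source is common in legitimate jobs, so treat that finding as a prompt to check who registered the job rather than as proof of compromise.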

Read More: https://thehackernews.com/2025/06/cryptojacking-campaign-exploits-devops.html